
1 Concurrency and Zero-Knowledge Protocols Amit Sahai MIT Laboratory for Computer Science.


2 Zero-knowledge Proofs [GMR85] One party (“the prover”) convinces another party (“the verifier”) that some assertion is true. The verifier learns nothing except that the assertion is true!

3 3 Zero-knowledge Proofs (cont.) Vast applicability throughout Cryptography: Identification / Authentication Protocols: [GMR, FS, …] Prove knowledge without revealing it. “Next Generation” Protocols: [GMW] Key Escrow [M, MS, VvT, …] Electronic Elections [C, CF, C, OO, … ] Anonymous Credentials [C, CvH, LRSW, …] Dealerless Poker [GMW, BCR, C, …]

4 Assumptions Almost all previous research assumes: sequential communication; at most 2 parties communicating at any given time; mutually aware, cooperating parties. (Figure: Prover and Verifier.)

5 The Internet (figure: Ebay, Yahoo)

6 The Internet Concurrent, interleaved communication. Mutually unaware parties, acting locally. (Figure: Ebay, Yahoo.)

7 Challenge: Global Coordinated Attack (figure: Yahoo)

8 Global Coordinated Attack (figure: Yahoo)

9 9 Our Context: Zero Knowledge Prover Honest Verifier Corrupted Verifiers trying to extract Prover’s secrets.

10 10 The Goal Extend theory of Zero-Knowledge Protocols to provide security in Internet setting. [Dwork, Naor, Sahai -- STOC ‘98] [Dwork, Sahai -- Crypto ‘98] + Ongoing work

11 Outline 1. Zero Knowledge: definitions and example. 2. What goes wrong. 3. How to fix it.

12 Interactive Proof System (figure: Prover and Verifier exchange messages v1, p1, v2, …, pk; Verifier outputs accept/reject.) Interactive protocol where Prover tries to convince probabilistic Verifier that assertion x is true. When x is true, Verifier always accepts. When x is false, Verifier accepts only with negligible probability, no matter what strategy Prover uses.

13 (Ordinary) Zero-Knowledge [GMR] (figure as on slide 12.) When assertion is true, can simulate interaction with any Verifier, w/o access to Prover. Formally, for every verifier, there is a probabilistic efficient simulator such that, when given a true assertion, simulator output is computationally indistinguishable from Verifier’s actual view of interaction with Prover.

14 Zero Knowledge [GMR] (figure: the real interaction, messages v1, p1, v2, …, pk, accept/reject, side by side with the simulated one; “?” marks the distinguisher that must not be able to tell them apart.)

15 Concurrent Zero Knowledge (figure: an Adversary controls verifiers V1, V2, …, Vn whose messages 1, 2, 3, 4, … to the Prover are interleaved.) When assertion is true, can simulate interaction with any Adversary, w/o access to Prover. Formally, for every Adversary, there is a probabilistic efficient simulator such that, when given a true assertion, simulator output is computationally indistinguishable from Adversary’s actual view of interaction with Prover.

16 Deniable Message Authentication (figure: Monica, Linda, Bill)

17 17 Example: Zero-Knowledge Proofs for NP

18 Cryptographic Commitment Public Key Encryption Scheme (PK,SK). Assume E_PK is always one-to-one. To commit to a string x, I send y = E_PK(x;r). To open the commitment, I reveal (x,r). Commitment is secret (hiding), by security of the encryption scheme. Because E_PK is 1:1, can’t change my mind about x (binding).

19 The Power of NP NP is very useful cryptographically, e.g.: Say y=E_PK(x;r) and y’=E_PK’(x’;r’). “y and y’ are encryptions of same message” is in NP! (Witness: x, r, r’ with x’=x.) Say f is efficiently computable. “y’ is the encryption of f applied to the decryption of y” ∈ NP. If we could prove NP statements in ZK,...

20 NP-Completeness Amazing thing about NP: There are languages complete for NP! e.g. Graph 3-Colorability

21 NP-Completeness (cont.) (figure: the statement “y=E_PK(x;r) and y’=E_PK’(x;r’) are encryptions of the same message” is turned by the reduction into a graph that is 3-colorable iff the statement holds.)

22 ZK Proof for Graph 3-Colorability Input: Graph G=(V={1, …, n},E). Prover Knows: 3-coloring c: V → {R,B,G}. First, Prover picks random permutation π: {R,B,G} → {R,B,G}, and applies it to c: π∘c.

23 ZK Proof (cont.) Prover → Verifier: Commit(π(c(1))), …, Commit(π(c(n))). Verifier → Prover: e = (i,j) ∈_R E. Prover → Verifier: Reveal π(c(i)) and π(c(j)). Verifier accepts if π(c(i)) ≠ π(c(j)).

24 ZK Proof (cont.) (figure only)

25 25 Related Work Large body of work on Concurrent Security: Focus: Integrity/Consistency of System State Locking and preventing Deadlock, Starvation Preventing inconsistent data reads Synchronizing databases Our Focus: Completely Different Not state, but preventing information leakage from protocol abuse.

26 Problem: Coordinated Attacks (figure sequence, slides 26–29: Yahoo, Ebay)

30 The Internet (figure: Ebay, Yahoo)

31 31 Modern Cryptography: Zero-Knowledge Proofs Amit Sahai MIT

32 Cryptography Encryption, Digital Signatures, etc. Protocols! Identification, Authentication... Electronic Elections. Pseudonym Systems... Today’s focus: Zero-Knowledge Proofs!

33 Proofs What is a proof? Lemma 1: blah blah blah. Proof: blah blah blah. Lemma 2: blah blah. Proof: blah blah blah blah blah blah blah blah blah! QED. (© Microsoft Proof Wizard™)

34 Proofs What is a proof to a computer? Verify(assertion, Proof) = accept. Verify(assertion, Proof) = reject. What kinds of assertions+proofs can computers verify?

35 Example: Satisfiability Consider assertions of form: “Formula is satisfiable”, e.g. (x1 x2) (x2 x3) [the Boolean connectives are missing from the transcript]. Proof = satisfying assignment x1 = true, x2 = false, x3 = true. Verify(formula, (a1,a2,a3)): plug a1,a2,a3 into the formula. Accept if the formula becomes true.

36 NP NP = assertion “types” (aka languages) with proofs that are: efficiently computer-verifiable; reasonable length. Very rich class. e.g. Satisfiability ∈ NP. Not the end of the story!

37 Probabilistic Proofs Must proof be totally convincing? Alternative: If proof correct, Verifier accepts always. If proof wrong, Verifier rejects with high prob.

38 38 Interactive Proofs Prover and Verifier talk back and forth. Prover tries to convince Verifier that assertion is true. If assertion is false, Prover fails with high prob. Now, Proof is a Protocol.

39 Interactive Proof System (figure: Prover and Verifier exchange v1, p1, v2, …, pk; accept/reject.) Interactive protocol where Prover tries to convince probabilistic Verifier that x is true. When x is true, Verifier accepts always. When x is false, Verifier rejects w.p. (1-2^-100) no matter what strategy Prover uses.

40 Interactive Proof System (same slide; the animation replaces the rejection probability with 1/2, the single-round figure before the protocol is repeated.)

41 41 Zero Knowledge Prover convinces Verifier, but... Verifier learns nothing except that assertion is true! What does that mean??

42 42 Defining Zero Knowledge Natural Suggestion: Verifier should not be able to prove assertion to anyone else. …what if Verifier already knew how to prove assertion?...maybe Verifier learned something else...

43 43 Magic Tricks Magic tricks are like zero-knowledge proofs: Good magic tricks reveal nothing about how they work. What makes a magic trick good?

44 44 A Magic Trick Two balls: Purple and Red, otherwise identical Blindfolded Magician You give a random ball to magician

45 45 A Magic Trick (cont.) Magician tells you the color! Magician proves he can distinguish balls blindfolded. You learn nothing except this. Abracadabra, Goobedy goo! It is Red! Wow! He’s so cool!

46 46 A Magic Trick (cont.) You knew exactly what magician was going to do. And he did it! Since you knew to begin with, you could not have learned anything new! It’s Red! I knew he would say that.

47 47 Zero Knowledge Idea for definition: Verifier “knows” what is going to happen. CS-speak: Verifier can simulate it herself! Abracadabra, Goobedy goo! It is Red! Simulation

48 Zero-Knowledge Proof (figure: v1, p1, v2, …, pk, accept/reject.) When assertion is true, Verifier can simulate her view of the interaction on her own. Formally, there is probabilistic poly-time simulator such that, when given a true assertion, simulator output is computationally indistinguishable from Verifier’s actual view of interaction with Prover. Note: ZK for honest verifier only.

49 Zero Knowledge Proof (figure: real interaction vs. simulated interaction; “?” marks the distinguisher.)

50 Dishonest Verifiers (figure: “Ha ha!”)

51 Zero-Knowledge Proof (figure as on slide 48.) When assertion is true, any Verifier can simulate her view of the interaction on her own. Formally, for every verifier, there is probabilistic poly-time simulator such that, when given a true assertion, simulator output is computationally indistinguishable from Verifier’s actual view of interaction with Prover.

52 52 Zero-Knowledge Proofs for NP

53 53 Another Magic Trick Magician asks you to think of either “Apple” or “Banana” Magician then gives you a sealed box.

54 54 Mind Reading You tell Magician what you were thinking. I was thinking of a banana.

55 55 Banana Mind Reading (cont.) Magician tells you to open box, and read piece of paper in box. Magician proves he can predict what you will say. How did he do that!!

56 Mind Reading (cont.) Again, you knew what was going to happen. ⇒ Zero-Knowledge. (Figure: “I was thinking of a banana.” / Simulation / Banana.)

57 57 Mind Reading (cont.) But why was it convincing? Because Magician committed to his guess before you told him.

(Slides 58–64 repeat slides 18–24 above: Cryptographic Commitment, The Power of NP, NP-Completeness, and the ZK Proof for Graph 3-Colorability.)

65 ZK Proof: Analysis Suppose Graph is NOT 3-colorable. Then at least one edge where colors equal. ⇒ Verifier catches with prob. ≥ 1/m (m = number of edges). Repeat protocol 100m times ⇒ Verifier catches with prob. ≥ (1-2^-100).

66 ZK Proof: Analysis (cont.) Why Zero-Knowledge? Verifier knows what will happen. Simulator: Pick e = (i,j) ∈_R E. Pick random different colors a,b. Commit to arbitrary values for all colors except for i and j. For i and j, commit to a,b. Imitate rest of protocol.

67 67Simulator

68 68 ZK Proof (Simulated)

69 ZK Proof: Analysis (cont.) Only difference between real & simulated: In real life, commitments are to valid coloring. In simulator, commitments are to invalid coloring. But commitments are secret, by security of encryption scheme. ⇒ Simulator output and real life are computationally indistinguishable.

70 ZK Proof: Analysis (cont.) This is a proof of ZK for an honest verifier. The same protocol is ZK for dishonest verifiers. Proof: same idea, more technical (the simulator commits with a guessed edge in mind and rewinds the verifier whenever the edge it actually asks for differs). Not surprising... Verifier’s only job: pick random edge.
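The commit / challenge / reveal round of slides 62–64, the repetition of slide 65 and the simulator of slide 66, as an added Python example that is not part of the lecture. It substitutes a hash commitment (SHA-256 over a random nonce and the colour) for the one-to-one public-key encryption the slides use as a commitment; that substitution, the function names and the sample graphs are assumptions of the example.

```python
import hashlib
import secrets

COLORS = ("R", "B", "G")
_rng = secrets.SystemRandom()


def commit(value: str) -> tuple[bytes, bytes]:
    """Hash commitment (assumption: stands in for the slides' one-to-one E_PK).
    Returns (commitment, nonce); the nonce hides the value, SHA-256 collision
    resistance binds the committer to it."""
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + value.encode()).digest(), nonce


def opens_to(commitment: bytes, nonce: bytes, value: str) -> bool:
    return hashlib.sha256(nonce + value.encode()).digest() == commitment


def prover_commit(coloring: dict) -> tuple[dict, dict]:
    """Slide 62: pick a random permutation pi of {R,B,G} and commit to pi(c(v))
    for every vertex v. Returns what is sent (commitments) and what is kept
    back (openings)."""
    pi = dict(zip(COLORS, _rng.sample(COLORS, 3)))
    commitments, openings = {}, {}
    for v, col in coloring.items():
        commitments[v], nonce = commit(pi[col])
        openings[v] = (nonce, pi[col])
    return commitments, openings


def verifier_challenge(edges) -> tuple:
    """Slide 63: the verifier's only job is to pick a uniformly random edge."""
    return _rng.choice(list(edges))


def prover_reveal(openings: dict, edge) -> dict:
    """Slide 63: open only the two endpoint commitments."""
    i, j = edge
    return {i: openings[i], j: openings[j]}


def verifier_accept(commitments: dict, edge, reveal: dict) -> bool:
    """Accept iff both openings match the commitments, are legal colours, and differ."""
    i, j = edge
    for v in (i, j):
        nonce, col = reveal[v]
        if col not in COLORS or not opens_to(commitments[v], nonce, col):
            return False
    return reveal[i][1] != reveal[j][1]


def run_protocol(edges, coloring: dict, rounds: int) -> bool:
    """Slide 65: sequential repetition. A colouring with a monochromatic edge is
    caught with probability at least 1/m per round, so 100*m rounds leave a
    cheating prover a chance of about e^-100."""
    for _ in range(rounds):
        commitments, openings = prover_commit(coloring)
        edge = verifier_challenge(edges)
        if not verifier_accept(commitments, edge, prover_reveal(openings, edge)):
            return False
    return True


def simulate_round(vertices, edges) -> tuple[dict, tuple, dict]:
    """Slide 66: the simulator knows no colouring. It picks the edge first,
    commits to two random distinct colours at its endpoints and to arbitrary
    colours elsewhere; the verifier's check passes, and because the other
    commitments are hiding the transcript looks like a real one."""
    edge = verifier_challenge(edges)
    i, j = edge
    a, b = _rng.sample(COLORS, 2)
    commitments, openings = {}, {}
    for v in vertices:
        col = a if v == i else b if v == j else _rng.choice(COLORS)
        commitments[v], nonce = commit(col)
        openings[v] = (nonce, col)
    return commitments, edge, prover_reveal(openings, edge)


if __name__ == "__main__":
    # Constructed sample inputs: a triangle (3-colourable) and K4 (not 3-colourable).
    triangle = [(1, 2), (2, 3), (1, 3)]
    k4 = [(1, 2), (1, 3), (1, 4), (2, 3), (2, 4), (3, 4)]
    print(run_protocol(triangle, {1: "R", 2: "B", 3: "G"}, 100 * len(triangle)))
    print(run_protocol(k4, {1: "R", 2: "B", 3: "G", 4: "R"}, 100 * len(k4)))
    c, e, r = simulate_round([1, 2, 3, 4], k4)
    print(verifier_accept(c, e, r))
```

The K4 run shows the soundness side: the best a cheating prover can do is a colouring with one bad edge, and the verifier hits that edge with probability 1/6 per round. The simulator run shows the zero-knowledge side: the accepted transcript was produced without any colouring at all.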

71 71 ZK Proof in a nutshell

72 72 Consequences

73 Identification Most basic application of ZK: Identification. To prove identity, just prove in ZK that some graph is 3-colorable. 3-coloring is like password. Even the computer you are logging on to will never find out your password! ⇒ Idea used to make signatures too.

74 74 Bigger Picture Anonymity: Anonymous Credentials Pseudonyms (www.zeroknowledge.com) e-cash Fair exchange Distributed Encryption, Signatures General Multi-Party Computation Mental Poker

75 75 Mental Poker Want to play poker totally in your mind? No physical cards. No trusted dealer. Main Problem: How to deal cards fairly?

76 Mental Poker (cont.) Basic idea: Each player shuffles deck, by picking random permutation σ_i. Player i gets card σ_1(σ_2(…(σ_n(i))…)). No player can control his card. Might as well pick random σ_i. Shuffle is random + hidden. But how does player i get proper card?

77 Mental Poker (cont.) Player i wants card σ_1(σ_2(…(σ_n(i))…)). Player i asks for σ_n(i), σ_{n-1}(σ_n(i)), ... Say Player i needs σ_k(x): Use “Oblivious Transfer”: Player i finds out σ_k(x) for one value x. Player k does not learn x. Uses ZK as subroutine.

78 Mental Poker (cont.) Problem: Player k may not give correct σ_k(x). Solution: Every player commits at beginning to σ_k(1),…,σ_k(52). Player k proves in ZK that it gave correct value for σ_k(x).

79 Mental Poker (cont.) Problem: Player i may not ask for correct x. Solution: Player i proves in ZK that it is asking for correct x each time. ⇒ Each player gets proper random cards at end of “dealing” phase.

80 Mental Poker (cont.) At end of game, if Player i reveals card: Player n opens commitment to σ_n(i). Player n-1 opens commitment to σ_{n-1}(σ_n(i)). ... Player 1 opens commitment to σ_1(σ_2(…(σ_n(i))…)). All players verify.

81 81 Any Mental Game Using these techniques, can actually play any mental game! For any efficient function f, n players with secret inputs x 1,..., x n can: Learn y=f(x 1,..., x n ) s.t. No players learn anything except y. In particular, x 1,..., x n still secret. e.g. Two people can figure out who has bigger salary, without revealing salary!

82 Conclusions Zero Knowledge Proofs: Simple, beautiful idea. Fundamental to Cryptography. Can prove all NP statements in ZK (assuming one-way functions exist). Have a great vacation!

83 Mental Poker (cont.) Player i needs σ_k(x). Use “Oblivious Transfer”: Player k commits to σ_k(1),…,σ_k(n) (at start). “Player i gets σ_k(x) without Player k finding out x.” Player i proves in ZK that it only got 1 value. Player k proves in ZK that value is consistent with commitment.
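The dealing and show-down structure of slides 76–80 and the committed permutation table of slides 78 and 83, as an added Python example that is not from the lecture: each player commits to its whole table up front, a card is the composition σ_1(σ_2(…σ_n(i)…)), and at show-down everyone checks the chain of openings against the committed tables. Oblivious transfer and the ZK proofs the slides use during dealing are not implemented; the chain is computed directly, which is the value those proofs guarantee an honest dealing produces. Hash commitments, the class and function names and the three-player sample game are assumptions of the example.

```python
import hashlib
import secrets

DECK = 52
_rng = secrets.SystemRandom()


def commit(value: int) -> tuple[bytes, bytes]:
    """Hash commitment to a card index (assumption: stands in for the slides' E_PK)."""
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(nonce + bytes([value])).digest(), nonce


def opens_to(commitment: bytes, nonce: bytes, value: int) -> bool:
    return hashlib.sha256(nonce + bytes([value])).digest() == commitment


class Player:
    """Holds a secret permutation sigma and the openings of the table
    Commit(sigma(0)), ..., Commit(sigma(51)) that is published at the start."""

    def __init__(self):
        self.sigma = list(range(DECK))
        _rng.shuffle(self.sigma)
        self.table, self.nonces = [], []
        for x in range(DECK):
            c, nonce = commit(self.sigma[x])
            self.table.append(c)
            self.nonces.append(nonce)

    def open(self, x: int) -> tuple[int, bytes]:
        """Opening of the commitment to sigma(x)."""
        return self.sigma[x], self.nonces[x]


def deal(players: list, i: int) -> int:
    """Card of player i = sigma_1(sigma_2(...sigma_n(i)...)), with players[0]
    as player 1, so the innermost permutation belongs to the last player."""
    x = i
    for p in reversed(players):
        x = p.sigma[x]
    return x


def reveal_chain(players: list, i: int) -> list:
    """Show-down (slide 80): player n opens sigma_n(i), player n-1 opens
    sigma_{n-1} of that, ... Each link records the input it was asked about."""
    chain, x = [], i
    for p in reversed(players):
        value, nonce = p.open(x)
        chain.append((x, value, nonce))
        x = value
    return chain


def verify_chain(tables: list, i: int, chain: list):
    """Everyone checks every link against the committed tables and that the
    links compose. Returns the card, or None if any link is inconsistent."""
    if len(chain) != len(tables):
        return None
    x = i
    for table, (claimed_x, value, nonce) in zip(reversed(tables), chain):
        if claimed_x != x or not 0 <= value < DECK:
            return None
        if not opens_to(table[x], nonce, value):
            return None
        x = value
    return x


if __name__ == "__main__":
    players = [Player() for _ in range(3)]  # constructed three-player game
    tables = [p.table for p in players]
    print(verify_chain(tables, 7, reveal_chain(players, 7)) == deal(players, 7))
    forged = reveal_chain(players, 7)
    x, value, nonce = forged[0]
    forged[0] = (x, (value + 1) % DECK, nonce)  # last player lies about sigma_n(7)
    print(verify_chain(tables, 7, forged))
```

Because every player's table is committed before any card is requested, a player who later opens a different value than the one it committed to fails `opens_to`, and a chain that skips a player fails the length check; the composition of the permutations is itself a permutation, so the 52 players-slots receive 52 distinct cards.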

84–87 ZK Proof (cont.) (four figure-only slides: Prover/Verifier message diagrams)

88 Example: Graph Isomorphism [GMW86] (figure: a four-step Prover/Verifier protocol, steps 1–4.) Claim: Protocol is an (honest verifier) SZK proof.


93 Philosophy Is my random number generator secure? System Designer for Hospital: Will my protocols work securely together? Is it secure vs. attack A? Is it secure vs. attack B?

94 Holy Grail Guarantee: Nobody can break system in 100 years. Unfortunately, we don’t know how to prove such theorems. ⇒ Need to make assumptions.

95 95 One Approach... It’s so complicated! It must be secure! Cryptosystem XYZ (Patent Pending)

96 96 One Approach… (cont.) Cryptosystem XYZ Broken 2 Days After Release!

97 Examples PKCS #1 (Encryption Standard). DVD Encryption. Digital Cellular Phone Encryption (GSM). … Lesson: Intuition often fails to hold for cryptography. Must be cautious!

98 Assumptions Some assumptions have held up over the years, e.g. problems believed to be hard: Discrete Logarithm: Given y=g^x (mod p), find x. RSA: Given y=x^e (mod N=pq), find x. (Slide colour key: red = secret, blue = known.)

99 99 Security Cryptographic Primitives RSA Discrete Log Assumptions “My encryption scheme is secure against CPA if RSA is hard to invert.”

100 100 Better Security Cryptographic Primitives RSA Discrete Log Assumptions One Way Functions Lattice Problems...

101 101 Better Security Cryptographic Primitives RSA Discrete Log Assumptions One Way Functions Lattice Problems... “My signature scheme is secure against CMA if One-Way Functions exist…” “One-Way Functions exist if either RSA is hard, or Discrete Log is hard, or …”

102 Philosophy Cryptography: Systematically address as many concerns as we can. Will my protocols work securely together? Is it secure vs. attack A? Is it secure vs. attack B? Is my random number generator secure?

103 Randomness: Why? Example: Public-Key Encryption. Deterministic Encryption? Two possible messages: “Attack!” “Retreat!” (anyone can encrypt both under the public key and compare with the ciphertext) ⇒ Completely insecure! ⇒ Need Randomization. Many other examples throughout Crypto.

104 Randomness True randomness hard to come by. Can get a source with moderate entropy: mouse/keyboard movements, radioactive decay. Refine ⇒ a few truly random bits. Need many more! ⇒ Need to generate pseudo-random bits from a few truly random bits.

105 Pseudo-Random Generator (PRG) (figure: truly random seed → PRG, a deterministic procedure → lots of pseudo-random bits)

106 Pseudo-Random? What are “good” pseudo-random bits? Statistical tests? Linear Congruential Generator (a,b,m,y0): y_n = a·y_{n-1} + b (mod m) passes lots of tests. Insecure in practice! Need definition that guarantees security.
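Slide 106’s point, that an LCG can look random to statistical tests yet be useless for security, as an added Python example that is not from the lecture: it runs a crude frequency test on LCG output and then recovers the multiplier and increment from three consecutive outputs and predicts everything that follows. The example assumes the modulus is a known prime (the Park–Miller value 2^31-1 is used; a, b and the seed are constructed sample parameters); with a composite or unknown modulus the recovery needs more algebra, but the conclusion is the same.

```python
def lcg(a: int, b: int, m: int, seed: int, n: int) -> list:
    """y_n = a*y_{n-1} + b (mod m), as on slide 106; returns y_1 .. y_n."""
    out, y = [], seed
    for _ in range(n):
        y = (a * y + b) % m
        out.append(y)
    return out


def frequency_test(outputs: list, m: int, tolerance: float = 0.05) -> bool:
    """A crude statistical test: about half of the outputs should fall below m/2.
    Passing it says nothing about unpredictability."""
    below = sum(1 for y in outputs if y < m // 2)
    return abs(below / len(outputs) - 0.5) <= tolerance


def recover_lcg(outputs: list, m: int) -> tuple:
    """Given three consecutive outputs and a prime modulus m, solve
    y2 - y1 = a*(y1 - y0) (mod m) for a, then b = y1 - a*y0 (mod m).
    Primality of m is what makes (y1 - y0) invertible."""
    y0, y1, y2 = outputs[:3]
    d = (y1 - y0) % m
    if d == 0:
        raise ValueError("need two distinct consecutive outputs")
    a = (y2 - y1) * pow(d, -1, m) % m
    b = (y1 - a * y0) % m
    return a, b


def predict(outputs: list, m: int, k: int) -> list:
    """Recover (a, b) from the first three outputs and predict the next k values
    after the last one seen."""
    a, b = recover_lcg(outputs, m)
    preds, y = [], outputs[-1]
    for _ in range(k):
        y = (a * y + b) % m
        preds.append(y)
    return preds


if __name__ == "__main__":
    M, A, B = 2**31 - 1, 16807, 12345  # constructed parameters; M is prime
    seen = lcg(A, B, M, seed=42, n=1000)
    print(frequency_test(seen, M))              # passes the statistical test
    print(recover_lcg(seen[:3], M) == (A, B))   # parameters recovered from 3 outputs
    print(predict(seen[:3], M, 5) == seen[3:8]) # and the rest is predictable
```

The contrast is the whole point of the slide: the same stream that satisfies the frequency check is fully determined by three of its values, so any key, nonce or session identifier drawn from it is recoverable by whoever sees a few earlier outputs.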

107 107 A.I. Turing Test

108 Cryptographic Turing Test (figure: a distinguisher “?” must tell Our System from a Perfectly Secure System.)

109 Def. for PRG (figure: a distinguisher “?” must tell truly random bits from PRG(random seed).)

110 Is it good enough? Consider Encryption Scheme, secure if we use truly random bits. Can we use Encryption w/PRG? Consider any poly-time attacker s.t.: breaks Encryption w/PRG; fails vs. Encryption w/true random bits. ⇒ Encryption + Attacker = Distinguisher for PRG. ⇒ Contradiction.

111 Reductions and Security Want: Assumption ⇒ Security. How to prove? Use contrapositive: Successful Attack ⇒ Break Assumption. Must give reduction!

